MF (minority first) scheme for defeating distributed denial of service attacks

One of the biggest barriers hindering Internet development is the security problem caused by malicious users. In this paper, we deal with distributed denial of service (DDoS) attacks that monopolize network resources and thus result in network or system congestion. Under a DDoS attack, it is very difficult to provide legitimate users with their fair share of the available network resources. This paper proposes MF (minority first), a traffic metering and control scheme that can quickly weaken a DDoS attack while protecting legitimate users' traffic. The key idea of the MF scheme is to provide good quality of service (QoS) to sources that use network resources properly and poor QoS to sources that use them so excessively as to cause network congestion. The MF scheme consists of source-traffic-trunk based metering and a queue mapping mechanism for controlling malicious DDoS traffic and legitimate traffic. To show the scheme's effectiveness, its performance is measured through simulation and compared with that of existing queuing services and static rate limiting.
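As an added illustration of the metering-and-queue-mapping idea (this is not the paper's algorithm or simulation code; the per-source fair-share threshold, the link capacity and the traffic mix are assumptions), the following Python toy compares a plain FIFO drop-tail link with a minority-first scheduler under a constructed flood:

```python
from collections import defaultdict, deque

class MinorityFirstQueue:
    """Toy model of the MF idea (illustration only, not the paper's
    algorithm): meter packets per source trunk within a window, divert a
    source's packets beyond its fair share to a low-priority queue, and
    always serve the well-behaved (minority) queue first under congestion."""

    def __init__(self, fair_share):
        self.fair_share = fair_share          # packets per source per window (assumed)
        self.seen = defaultdict(int)          # per-source packet meter
        self.good = deque()                   # traffic within the fair share
        self.bad = deque()                    # excess traffic

    def enqueue(self, src):
        self.seen[src] += 1
        target = self.good if self.seen[src] <= self.fair_share else self.bad
        target.append(src)

    def dequeue(self, capacity):
        """Transmit up to `capacity` packets; the minority queue drains first."""
        sent = []
        while len(sent) < capacity and (self.good or self.bad):
            sent.append((self.good or self.bad).popleft())
        return sent

def count(srcs):
    c = defaultdict(int)
    for s in srcs:
        c[s] += 1
    return dict(c)

def deliver_mf(arrivals, capacity, fair_share):
    q = MinorityFirstQueue(fair_share)
    for src in arrivals:
        q.enqueue(src)
    return count(q.dequeue(capacity))

def deliver_fifo(arrivals, capacity):
    """Baseline: a single FIFO queue that tail-drops everything beyond capacity."""
    return count(arrivals[:capacity])

# Constructed scenario: two flooding sources burst 200 packets each ahead of
# three legitimate sources sending 8 each; the link carries 60 packets per window.
ARRIVALS = ["bot1"] * 200 + ["bot2"] * 200 + \
    [s for s in ("legit1", "legit2", "legit3") for _ in range(8)]

if __name__ == "__main__":
    print("FIFO:", deliver_fifo(ARRIVALS, 60))        # only bot1 gets through
    print("MF:  ", deliver_mf(ARRIVALS, 60, 10))      # every legitimate packet delivered
```

With FIFO the flood fills the whole window, whereas MF delivers all 24 legitimate packets and gives the attackers only the leftover capacity.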
